Lenovo Class Action Tests New ‘Bulk Transfer’ Theory for Web Tracking Data

A new putative class action in the Northern District of California (Case No. 3:26-cv-01133) targets Lenovo’s use of third‑party tracking pixels on its U.S. website, advancing a novel “bulk transfer” theory that links routine web analytics to cross‑border data restrictions under federal law. The February 5, 2026 filing alleges that sharing sensitive browsing data with a Chinese parent violates the DOJ’s 2025 Bulk Transfer Rule, and therefore strips Lenovo of the usual “party exception” defense under the Electronic Communications Privacy Act (ECPA). For companies with international affiliates, the outcome may increase litigation risk when they move consumer web data across borders, even for standard analytics and marketing purposes.

An Emerging Litigation Strategy: The Bulk Transfer Workaround

ECPA and CIPA claims targeting website owners have previously been limited by “party exceptions.” California is an "all-party" consent state, meaning it is unlawful for anyone, including a participant in a conversation, to record a communication without the consent of all parties involved. However, California courts have recognized an eavesdropping “party exception” for website operators, holding that a website operator cannot be liable for eavesdropping on a conversation when it is a participant in the conversation, only when it aids and abets in eavesdropping by an outside party.^[1] Federal law, on the other hand, requires only one-party consent, so a party can generally record a conversation or use a third-party tracking tool on its website without the consent of the other party, creating a “party exception” by default.

However, under ECPA, a carve-out to one-party consent is the "crime-tort exception," which applies when data is intercepted for the purpose of committing a crime or tort. This federal exception is what the plaintiffs in the Lenovo case are targeting with their invocation of the 2025 DOJ Bulk Transfer Rule, which prohibits the transfer of bulk sensitive data to certain foreign countries, such as China.   Here, plaintiffs assert that sharing user data with a Chinese parent company, without robust disclosures or compliance with DOJ guidelines, removes Lenovo from safe harbor protections and triggers liability under both state and federal law.

Plaintiffs assert the DOJ Bulk Transfer Rule negates the one-party consent exception under federal law when data is transferred to prohibited third parties. If a website operator violates the rule, it potentially violates the crime-tort exception under ECPA, which consequently would strip Lenovo of its party exception defense and allows that claim to proceed, with its threat of statutory damages.  Lenovo is also accused of violating CIPA by using tracking pixels without all-party consent, thus aiding and assisting third party eavesdropping.

Implications and Next Steps

It remains uncertain whether courts will accept plaintiffs’ attempt to use the DOJ Bulk Transfer Rule as a new way around ECPA’s one-party consent. Lenovo is expected to challenge both the factual allegations regarding data flows and the applicability of the DOJ Bulk Transfer Rule to consumer-facing web tracking.^[2]

More broadly, though, this action underscores risks for companies with international operations that collect U.S. consumer data, including through embedded web technologies. Plaintiffs’ theory, if successful, could significantly increase the risk of cross-border sharing of analytics and marketing data, even among corporate affiliates.

The Orrick team will continue to monitor this case and related litigation. If you have any questions about these developments, contact: [S. Yavorsky] [R. Harlow]

Link to complaint: https://www.classaction.org/media/christy-v-lenovo-united-states-inc-complaint.pdf